Over the last few months, this column has examined the top threats in 2019, according to the 2019 cyber threatscape report, including geopolitical actors, evolving cybercriminals, ransomware, supply chain threats, and cloud vulnerabilities. This month we are focusing on the threat from your organization’s supply chain.
First, let’s revisit a widely reported data breach that occurred over five years ago: the Target breach. The attackers gained access to Target’s point of sale (PoS) machines and used that access to obtain customer credit information. To reach those PoS machines, the attackers needed someone’s credentials. Instead of attacking Target directly, they went a little way up the supply chain: they targeted Target’s HVAC supplier and used that supplier’s credentials through the external vendor portal.
The Target data breach was the result of a trust relationship with Fazio Mechanical, a small business with a reported $12.5 million in annual revenue. A small vendor is often exploited to attack larger companies, and in this case it was used to launch an attack that compromised 41 million credit cards and cost Target a massive amount.
There were many failures at Target that ultimately led to the data breach. For now, let’s focus on supply chain risks. Many parents realize that when they send their kids to school, there is a chance the kids will bring home the germs and sickness that other students have in their classrooms. In many ways, their children are only as healthy as the company they keep. The same principle applies to businesses and their supply chain partners.
A growing trend and threat seen in Accenture Security’s 2019 cyber threatscape report is that motivated attackers are increasingly attacking supply-chain and third-party partners, where a compromise at one partner can be used against the organizations that trust it. The threat is real, growing, and could impact your organization.
Some tips and recommendations can reduce your risks.
First, understand your vendor ecosystem. In a 2017 Ponemon Institute study, it was found that 35 percent of respondents indicated that third parties had access to confidential or sensitive information. Over half of the respondents did not have a comprehensive list of all third parties who have access to sensitive information. Over 10 percent of respondents could not determine if their third-party vendor experienced a data breach.
Before you can do anything else to protect your organization’s data, you really need to understand who has access to your data. Getting a handle on your third-party relationships will be a great start to that process.
Second, evaluate the security and privacy practices of your third-party vendors. This recommendation can take time, but it should not be cut short. Examine the contract with each third party to determine what it actually says. You should also conduct audits and assessments to evaluate each third party’s practices. Please note that you may need permission from the third party to perform these.
Third, use the right technology to monitor third-party access. Just because there is a contractual relationship with a vendor, do not accept that as a sufficient security control. Add layers of protection between the third-party vendors and your organization’s data. That could include ensuring they only have access to items on a need-to-know basis, logging all of their activity, and creating an inventory of access roles.
Additionally, it is always a good idea to add extra layers of authentication and protection for users that are higher risk or are outside of the normal domain.
Fourth, if your company carries out the previous three recommendations successfully, don’t sit back and assume everything is okay. Your organization should continuously monitor, continuously review, and continually look for ways to improve third-party security. An internal team should regularly review third-party policies, programs, contracts, and security controls. Don’t just say it. Make this continuous review part of your organization’s security policy and a regular procedure.
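The third and fourth recommendations (need-to-know access, logging all vendor activity, an inventory of access roles, extra authentication for higher-risk users, and a recurring review) can be turned into a small, repeatable check. The script below is an added example written for this column, not code from the author or from any of the organizations mentioned; the vendor inventory, the access log lines, and the review-age policy are constructed sample data, and the account, role and system names are placeholders.

```python
"""Third-party access review: need-to-know scope, MFA coverage, and review age.

Added example for this column; all data below is constructed, not real.
"""
from datetime import datetime

# Constructed inventory of third-party accounts: the vendor behind each account,
# the role it holds, which systems that role may reach on a need-to-know basis,
# whether a second authentication factor is enforced, and when the entry was last reviewed.
VENDOR_INVENTORY = {
    "hvac-vendor-svc": {
        "vendor": "HVAC maintenance contractor (sample)",
        "role": "facilities-monitoring",
        "allowed_systems": {"hvac-portal"},
        "mfa": False,
        "last_review": "2019-01-15",
    },
    "payroll-vendor-svc": {
        "vendor": "Payroll processor (sample)",
        "role": "payroll-integration",
        "allowed_systems": {"hr-api"},
        "mfa": True,
        "last_review": "2019-08-01",
    },
}

# Constructed access log lines: timestamp, account, system, action, result.
ACCESS_LOG = """\
2019-09-01T02:14:00Z hvac-vendor-svc hvac-portal read ok
2019-09-01T02:15:10Z hvac-vendor-svc pos-network login ok
2019-09-01T02:15:45Z hvac-vendor-svc pos-network read ok
2019-09-01T09:00:00Z payroll-vendor-svc hr-api write ok
2019-09-01T09:00:05Z unknown-acct hr-api read denied
"""


def parse_log(text):
    """Parse the space-separated sample log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, system, action, result = line.split()
        records.append({"ts": ts, "account": account, "system": system,
                        "action": action, "result": result})
    return records


def out_of_scope_access(records, inventory):
    """Need-to-know check: flag activity by accounts that are not in the vendor
    inventory, or that touch a system outside their role's allowed set."""
    findings = []
    for r in records:
        entry = inventory.get(r["account"])
        if entry is None:
            findings.append((r["ts"], r["account"], r["system"], "account not in vendor inventory"))
        elif r["system"] not in entry["allowed_systems"]:
            findings.append((r["ts"], r["account"], r["system"], "outside need-to-know scope"))
    return findings


def missing_mfa(inventory):
    """Higher-risk (external) accounts that lack an extra authentication layer."""
    return sorted(acct for acct, entry in inventory.items() if not entry["mfa"])


def stale_reviews(inventory, today, max_age_days=90):
    """Inventory entries not reviewed within the policy window (constructed: 90 days)."""
    today_dt = datetime.strptime(today, "%Y-%m-%d")
    stale = []
    for acct, entry in inventory.items():
        reviewed = datetime.strptime(entry["last_review"], "%Y-%m-%d")
        if (today_dt - reviewed).days > max_age_days:
            stale.append(acct)
    return sorted(stale)


def access_review(log_text, inventory, today):
    """Run all three checks and return one report dict for the review team."""
    records = parse_log(log_text)
    return {
        "out_of_scope": out_of_scope_access(records, inventory),
        "missing_mfa": missing_mfa(inventory),
        "stale_reviews": stale_reviews(inventory, today),
    }


if __name__ == "__main__":
    report = access_review(ACCESS_LOG, VENDOR_INVENTORY, "2019-09-01")
    for section, items in report.items():
        print(section)
        for item in items:
            print("  ", item)
```

In the sample data, the HVAC vendor account is scoped to the HVAC portal only, so its two log entries on the PoS network are flagged as out of scope, the account without MFA is listed, and the inventory entry that has not been reviewed within the window is surfaced for the internal team. Running this against real logs on a schedule is one concrete way to make the "continuous review" the column calls for a procedure rather than a statement.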
Third-party vendors are a risk to your organization, and if you are a vendor to another company, you are a risk to them.
Ultimately, if your company owns the data, you are responsible. You will be held accountable for a breach. Go back to the Target example. While the HVAC company was the avenue used to breach the Target system, it was Target that was impacted.
It was Target that paid over $292 million. It was Target whose business was significantly impacted. While the Target breach had several layers (technical, management, and policy), the responsibility was on Target.
If your third-party vendors lead to a compromise at your organization, you will be responsible, as well.
Michael Ramage is the director of the Center for Computer and Information Technology at Murray State University. The Center for CIT researches various areas of computer and information technology as well as serving as a liaison between the academic and private sectors to ensure a sufficient technology workforce is available. Reach him at firstname.lastname@example.org, or 270-809-3987, for more information.
Originally published in the Four Rivers Business Journal.